[noise] psk analysis, and ss/noss modifiers (was Re: Noise Explorer)

Justin Cormack justin at specialbusservice.com
Tue Aug 14 15:23:50 PDT 2018


On 14 August 2018 at 16:56, Trevor Perrin <trevp at trevp.net> wrote:
> OK, so I think there's 2 questions you're answering with the "ss"
> patterns below:
>
>  * You're using the "late" choice for deferred patterns (which you've
> done consistently), and leaving out the "early" option I mentioned.  I
> think I agree with this:  If you've chosen to defer the more-important
> authentication DHs (se and es), it seems you probably would want to
> defer the less-important ss DH that is just supplying a bit more
> forward-secrecy against an unusual attack.  Also, this is fairly
> simple, and doesn't preclude us adding the other patterns later, if we
> think of a reason for them.
>
>  * You're making KKss and IKss identical with existing KK and IK,
> instead of putting the "ss" on the end.  Not sure I agree here, seems
> like it gains us more flexibility to have a different option, and
> perhaps more consistency to have the "ss" modified patterns always
> have "ss" at the end.  Also, it seems possible you might prefer to
> skip the early "ss" for denial-of-service or (in KK) identity-hiding
> reasons.

Ok, well that gives the "always put the ss at the end" rule, which is also
pretty simple. There aren't any other possibilities with any of the non
deferred patterns anyway, so ok with that choice.

> Anyways, I think we're converging on something - if you have time it
> would be great to start a spec and link from wiki, also so we can get
> Nadim some tentative patterns to analyze.

Will do, am away for a bit and not sure how much time I will have immediately
but will see.

For reference these are the patterns if Nadim has time to analyze...

KKnoss:
  -> s
  <- s
  ...
  -> e, es
  <- e, ee, se

IKnoss:
  <- s
  ...
  -> e, es, s
  <- e, ee, se


KKss:
  -> s
  <- s
  ...
  -> e, es
  <- e, ee, se, ss

KXss:
  -> s
  ...
  -> e
  <- e, ee, se, s, es, ss

XKss:
  <- s
  ...
  -> e, es
  <- e, ee
  -> s, se, ss

IKss:
  <- s
  ...
  -> e, es, s
  <- e, ee, se, ss

XXss:
  -> e
  <- e, ee, s, es
  -> s, se, ss

IXss:
  -> e, s
  <- e, ee, se, s, es, ss


K1Kss:
  -> s
  <- s
  ...
  -> e, es
  <- e, ee
  -> se, ss

KK1ss:
  -> s
  <- s
  ...
  -> e
  <- e, ee, se, es, ss

K1K1ss:
  -> s
  <- s
  ...
  -> e
  <- e, ee, es
  -> se, ss

K1Xss:
  -> s
  ...
  -> e
  <- e, ee, s, es
  -> se, ss

KX1ss:
  -> s
  ...
  -> e
  <- e, ee, se, s
  -> es, ss

K1X1ss:
  -> s
  ...
  -> e
  <- e, ee, s
  -> se, es, ss

X1Kss:
  <- s
  ...
  -> e, es
  <- e, ee
  -> s
  <- se, ss

XK1ss:
  <- s
  ...
  -> e
  <- e, ee, es
  -> s, se, ss

X1K1ss:
  <- s
  ...
  -> e
  <- e, ee, es
  -> s
  <- se, ss

I1Kss:
  <- s
  ...
  -> e, es, s
  <- e, ee
  -> se, ss

IK1ss:
  <- s
  ...
  -> e, s
  <- e, ee, se, es, ss

I1K1ss:
  <- s
  ...
  -> e, s
  <- e, ee, es
  -> se, ss

X1Xss:
  -> e
  <- e, ee, s, es
  -> s
  <- se, ss

XX1ss:
  -> e
  <- e, ee, s
  -> es, s, se, ss

X1X1ss:
  -> e
  <- e, ee, s
  -> es, s
  <- se, ss

I1Xss:
  -> e, s
  <- e, ee, s, es
  -> se, ss

IX1ss:
  -> e, s
  <- e, ee, se, s
  -> es, ss

I1X1ss:
  -> e, s
  <- e, ee, s
  -> se, es, ss


More information about the Noise mailing list